Talking with Kerberized services using GSS-API

Wyllys Ingersoll wyllys.ingersoll at sun.com
Fri Oct 18 08:15:06 EDT 2002


GSSAPI apps cannot communicate directly with apps that only
speak raw Kerberos (and vice-versa).

The purpose of GSSAPI is to abstract the security mechanism
so that the applications are not locked into a specific mechanism.
Thus from a programming point of view, the client and server
do not ever make any direct calls to the Kerberos API.
The client may tell the server that it wishes to use Kerberos
by specifying the Kerberos_V5 OID value in the initial
token exchanges (gss_init_sec_context, etc).

The on-the-wire GSSAPI protocol is quite different from
Kerberos, thus the incompatibilities. The RFCs (2743, 2744)
provide a lot more information and detail than I can give you in a
brief response here, but what you are trying to do will
never work.

-Wyllys

Christian wrote:
> "Christian" <cgregoir99 at yahoo.com> wrote in message
> news:3dafbb25$0$210$4d4eb98e at read.news.fr.uu.net...
> 
>>Hello guys,
>>
>>I want my application to be able to talk with services secured with Kerberos
>>(telnetd for instance). I've started to have a look at MIT's GSS-API
>>examples, but I'm wondering: is it compatible? I mean, can my app
>>developed with GSS-API talk to services like MIT Kerberos telnetd?
>>
>>Looking at the gss-client and gss-sserver examples, they have their own
>>implementation of token handling. The GSS-API Programming Guide by SUN says
>>that it is the responsibility of the application to send and receive tokens
>>and manipulate them according to their type.
>>
>>So am I going the right way or should I switch to Kerberos APIs?
>>
>>Thanks.
>>
>>Christian.
>>
> 
> 
> I've tried to use sserver example (K5 API) along with gss-client example and
> it fails at context initialization. At one step, the client has sent tokens
> and waits for the server to reply. The server runs krb5_recvauth but this
> function never returns, data sent by the client not being in the right
> format I suppose.
> 
> I guess this is not supposed to work. Is it the answer to my question, that
> K5 API and GSS-API are not compatible?
> 
> Christian.
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
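
The framing difference discussed in this thread, as an added example that is not part of the original messages or of the MIT sample code: per RFC 2743 section 3.1 and RFC 1964, a GSS-API Kerberos initial token wraps the AP-REQ in an [APPLICATION 0] header carrying the mechanism OID and a two-byte TOK_ID, while a raw Kerberos AP-REQ starts directly with [APPLICATION 14]. The function and enum names and the sample bytes are constructed for illustration, and the buffer is assumed to have had any application-level transport framing removed already.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 */
static const unsigned char KRB5_OID[] =
    {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02};
/* Constructed samples: framing only, the AP-REQ body is an empty SEQUENCE. */
static const unsigned char RAW_SAMPLE[] = {0x6e, 0x02, 0x30, 0x00};
static const unsigned char GSS_SAMPLE[] = {0x60, 0x11, 0x06, 0x09, 0x2a, 0x86, 0x48,
    0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00, 0x6e, 0x02, 0x30, 0x00};

enum tok_kind { TOK_UNKNOWN, TOK_RAW_AP_REQ, TOK_GSS_KRB5_AP_REQ, TOK_GSS_OTHER };

/* Read a DER length at buf[*pos]; 0 on success, -1 if malformed or truncated. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    unsigned char b = buf[(*pos)++];
    if (b < 0x80) { *out = b; return 0; }
    size_t cnt = b & 0x7f;
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    for (*out = 0; cnt > 0; cnt--) *out = (*out << 8) | buf[(*pos)++];
    return 0;
}

/* Classify the first message a peer sent, by its outer framing only. */
enum tok_kind classify_token(const unsigned char *buf, size_t n)
{
    size_t pos = 1, len;
    if (n < 2 || (buf[0] != 0x6e && buf[0] != 0x60)) return TOK_UNKNOWN;
    if (der_len(buf, n, &pos, &len) != 0 || len != n - pos) return TOK_UNKNOWN;
    if (buf[0] == 0x6e)            /* [APPLICATION 14]: bare Kerberos AP-REQ */
        return TOK_RAW_AP_REQ;
    /* 0x60 = [APPLICATION 0]: RFC 2743 sec. 3.1 initial token, mech OID first */
    if (n - pos < sizeof KRB5_OID || memcmp(buf + pos, KRB5_OID, sizeof KRB5_OID))
        return TOK_GSS_OTHER;
    pos += sizeof KRB5_OID;
    /* RFC 1964: two-byte TOK_ID 01 00, then the AP-REQ itself */
    if (n - pos < 3 || buf[pos] != 0x01 || buf[pos + 1] != 0x00 || buf[pos + 2] != 0x6e)
        return TOK_GSS_OTHER;
    return TOK_GSS_KRB5_AP_REQ;
}

int main(void)
{
    printf("raw=%d gss=%d\n", classify_token(RAW_SAMPLE, sizeof RAW_SAMPLE),
           classify_token(GSS_SAMPLE, sizeof GSS_SAMPLE));
    return 0;
}
```

A server that logs the classification of an unexpected first message can tell a GSS-API client talking to a raw-Kerberos service apart from plain garbage, rather than blocking on a read that never completes.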




